Deploying printers with Group Policy Preferences is the superior way to deploy your printers. Here is the great thing about deploying printers this way: you don’t need anything special and it can deploy IP, local, or shared printers!

As long as your clients support Group Policy Preferences (which run on XP SP3+) and you have a print server, you can deploy printers with Group Policy Preferences. Before you deploy your first printer, you need to answer two questions:

What to do Before Deploying Your First Printer

How many printers do you plan to deploy?

If you have fewer than 50 printers, you can create a single dedicated Printer GPO. If you have many sites or sites with many printers, you’ll likely prefer several printer GPOs (one per site). That recommendation comes from my personal experience with printer management. Just like any new addition to Group Policy, you will also want to decide on a naming convention before setting up your first printer preference. You should have standard names for your printer GPOs and the individual preference items.

To give you an example, my environment has 20+ sites. Every site has a site prefix. Each site has a dedicated printer policy named Printers: SITE PREFIX. Printers are named like this: SITEPREFIX_LOCATION_MODEL. The printer name in the preference will always match the printer name on the print server.

Will you deploy printers from the Computer Configuration or User Configuration node?

Deploying printers from the computer configuration node is quite a bit faster than the user node. If you auto wake-up your computers before the work day begins, your users never even see the printer install. There is one downside to computer side printers; you can’t set one as the default without some trickery.

Printers deployed under the user configuration will allow easier management. You can configure printers to set themselves as the default. You can also change a printer preference (such as duplexing) without redeploying the printer. If you use print queue management software (like Print Manager Plus), you must use a user side printer. The downside is the printer installation will be slower. Every new user logging onto the computer will have to wait as the printer installs. If you have multiple user side printers, users can easily become frustrated.

My recommendation: When possible, use computer side printer preferences.

Creating the Printer Preference

In the GPMC, create a new GPO named Printers: DOMAIN-NAME or Printers: SITE NAME. I am going to assume that you already have a print server and that your printers are already set up on that server. I will also assume that you have the relevant drivers installed. If you have an x64 print server and x86 clients, the print server will need the x86 drivers. When possible, I recommend using universal printer drivers (such as those provided by HP).

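Edit the GPO and navigate to Computer Configuration/Administrative Templates/Printers. Disable “Point and Print Restrictions”. This will allow your clients to install drivers from your Print Server. The policy setting is not specific to your server: disabling it turns off the policy’s warning and elevation prompts for driver installs from any print server a client connects to.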
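A read-only check of what this policy leaves on a client, as an added example that is not from the original article: it reads the Point and Print values under the Printers policy key and flags the ones that turn prompts off. The value names are the ones Microsoft documents for this policy and for the later RestrictDriverInstallationToAdministrators hardening; the function names are made up for this example.

```powershell
# Added example, not from the article. Read-only: lists the Point and Print
# policy values on the local computer and flags the ones that turn prompts off.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PolicyValue {
    # Hypothetical helper: returns $null when the key or the value is absent.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-PointAndPrintPolicy {
    # Hypothetical function name. Emits one row per policy value.
    param([string]$Path = $PolicyKey)

    # Bad = script block that decides whether the stored value is a finding.
    $checks = @(
        @{ Name = 'Restricted'                      # shown for context only
           Bad  = { param($v) $false }
           Text = '' },
        @{ Name = 'NoWarningNoElevationOnInstall'   # 0 or absent keeps the prompts
           Bad  = { param($v) ($null -ne $v) -and ($v -ne 0) }
           Text = 'no warning or elevation prompt when a new connection installs a driver' },
        @{ Name = 'UpdatePromptSettings'            # 0 or absent keeps the prompts
           Bad  = { param($v) ($null -ne $v) -and ($v -ne 0) }
           Text = 'reduced or no prompt when an existing connection updates its driver' },
        @{ Name = 'TrustedServers'                  # 1 = only servers in ServerList
           Bad  = { param($v) $v -ne 1 }
           Text = 'not limited to the servers in ServerList' },
        @{ Name = 'ServerList'                      # shown for context only
           Bad  = { param($v) $false }
           Text = '' },
        @{ Name = 'RestrictDriverInstallationToAdministrators'
           Bad  = { param($v) $v -eq 0 }
           Text = 'non-administrators may install printer drivers' }
    )

    foreach ($c in $checks) {
        $v = Get-PolicyValue -Path $Path -Name $c.Name
        [pscustomobject]@{
            Value   = $c.Name
            Data    = if ($null -eq $v) { '(not set)' } else { $v }
            Finding = if (& $c.Bad $v) { $c.Text } else { 'no finding' }
        }
    }
}

Test-PointAndPrintPolicy | Format-Table -AutoSize
```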

Computer Configuration: IP Printer

For our first example, we are going to set up a computer side IP printer. Under Computer Configuration/Preferences/Control Panel Settings, select Printers. Right click and select New – TCP/IP Printer. Enter your printer’s IP address, a local name, and the printer path.

The local name can be different than the printer path. For troubleshooting purposes, I prefer to keep them the same though. If your printers get an IP through DHCP (and you don’t use reservations), you should probably use a DNS name instead of an IP. Next, change the Action from Update to Create. This will ensure that the printer only installs once. Finally, select the Common tab and set any Item Level Targeting (if needed). The two most common targets are by OU and by security group type.
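Once a GPO holds many printer items, the stored preference file can be reviewed directly instead of opening each item in the editor. The script below is an added example, not part of the original article: it reads a Printers.xml and lists each item's action and item-level targets, flagging items that are not set to Create or that have no target. The sample XML is constructed and trimmed to the attributes the script reads, and the function names are hypothetical.

```powershell
# Added example, not from the article. GPP stores a GPO's printer items in
# <GPO folder in SYSVOL>\Machine\Preferences\Printers\Printers.xml (User\... for
# user side items). For a real file: [xml](Get-Content -Raw -LiteralPath $file)

# Constructed sample, trimmed to the attributes this script reads.
[xml]$sample = @'
<Printers>
  <PortPrinter name="192.0.2.55">
    <Properties action="C" ipAddress="192.0.2.55" localName="HQ_LOBBY_HP4015"
                path="\\PRINTSRV\HQ_LOBBY_HP4015"/>
    <Filters>
      <FilterOrgUnit bool="AND" not="0" name="OU=Lobby,DC=example,DC=com"/>
      <FilterComputer bool="OR" not="0" type="NETBIOS" name="HQ07*"/>
    </Filters>
  </PortPrinter>
  <PortPrinter name="192.0.2.56">
    <Properties action="U" ipAddress="192.0.2.56" localName="HQ_LAB_HP4015"
                path="\\PRINTSRV\HQ_LAB_HP4015"/>
  </PortPrinter>
  <PortPrinter name="192.0.2.57">
    <Properties action="R" ipAddress="192.0.2.57" localName="HQ_OFFICE_HP4015"
                path="\\PRINTSRV\HQ_OFFICE_HP4015"/>
    <Filters>
      <FilterGroup bool="AND" not="1" name="EXAMPLE\Kiosk Computers"/>
    </Filters>
  </PortPrinter>
</Printers>
'@

function Get-TargetingSummary {
    # Turns a <Filters> (or nested <FilterCollection>) node into one line of text.
    param($FiltersNode)
    $text = ''
    if ($null -eq $FiltersNode) { return $text }
    foreach ($f in $FiltersNode.SelectNodes('*')) {
        $neg = if ($f.GetAttribute('not') -eq '1') { 'NOT ' } else { '' }
        if ($f.LocalName -eq 'FilterCollection') {
            $term = $neg + '(' + (Get-TargetingSummary $f) + ')'
        } else {
            $kind = $f.LocalName -replace '^Filter', ''
            $name = $f.GetAttribute('name')
            $term = if ($name) { "$neg$kind '$name'" } else { "$neg$kind" }
        }
        # Join terms with the AND/OR stored on each filter after the first.
        if ($text) { $text += ' ' + $f.GetAttribute('bool') + ' ' + $term }
        else       { $text = $term }
    }
    return $text
}

function Get-PrinterPreferenceReport {
    param([xml]$Xml)
    $actions = @{ C = 'Create'; R = 'Replace'; U = 'Update'; D = 'Delete' }
    foreach ($item in $Xml.SelectNodes('/Printers/*')) {
        $props = $item.SelectSingleNode('Properties')
        if ($null -eq $props) { continue }
        $code    = $props.GetAttribute('action')
        $targets = Get-TargetingSummary ($item.SelectSingleNode('Filters'))
        $notes = @()
        if ($code -ne 'C') { $notes += 'not Create: applied again on later policy runs' }
        if (-not $targets) { $notes += "no item-level targeting: everything in the GPO's scope" }
        [pscustomobject]@{
            Type      = $item.LocalName
            Printer   = $props.GetAttribute('localName')
            Path      = $props.GetAttribute('path')
            Action    = if ($actions.ContainsKey($code)) { $actions[$code] } else { "($code)" }
            Targeting = $targets
            Notes     = $notes -join '; '
        }
    }
}

Get-PrinterPreferenceReport $sample | Format-Table -AutoSize -Wrap
```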

What would be the preferred method to deploy printers in a virtual desktop environment, where the local computers that the user is connecting from and the virtual desktop they receive are both on the domain? Basically, we want the virtual desktop to receive the printer mapping, but not the local computer.

I would use environment variable preferences to create a variable on your local computers. I would then add an Item Level Target to the printer preferences to say “apply this if the variable is not found”.

So here’s an interesting discovery.
I’ve found that printers, when deployed through Group Policy Computer Preferences, will not add to a user’s computer, unless I add the “Domain Computers” security group to the ACL of the Printer’s security settings on the Print server.
How come I’m not seeing this documented anywhere? Am I doing something wrong by not adding that?
Otherwise there is an error given in gpresult “0x80070005” but nothing about access denied or anything.

This is something that was recently changed by Microsoft with very little warning. Essentially, many GPOs will not apply if the security filtering does not include either a) “Authenticated Users”, or b) “Domain Computers” (which is part of Authenticated Users group). This is a security update and is intended.

If you are targeting people/groups via this method, it is advised to revert the filter back to default (authenticated users or domain computers), and target the correct people/groups via Item-Level-Targeting.

So if this is my first printer, what’s the recommendation of adding it and sharing? Should you add the printer from Printer Management console?
Or from the Printers applet in the control panel?
I feel like some steps are missing.

Also how would you have Computer Setting policy in a single GPO for up to 50 printers in a single site? How are you targeting who it’s applied to then? Computer security groups in scope filtering?

You would use Item Level Targeting on each of the printer preferences. You would have 50 printer preferences in a single GPO and each preference would have a target on it. The target could point it to a group of computers based on name, group membership, OU, etc.

This is a great way of doing it but unfortunately doesn’t seem to propagate all settings from a 2012 R2 print server. Duplex for example. Also, we’re using Xerox printers and it doesn’t propagate the SNMP community settings (under the Configuration tab of the universal driver) either. It’s frustrating because I wanted to swap over to this method as we are currently using one GPO per printer and using the Computer Configuration -> Policies -> Windows Settings -> Deployed Printers method. This does at least deploy the printer as a shared printer rather than local printer and therefore, in our experience anyway, it does bring the printer preferences (such as duplex settings etc) across.

Hey Ben – for HP printers, it will propagate the printer settings including duplex. There are a few places that it has to be set on in the printer properties on the server. I would imagine Xerox requires the same thing but I can’t tell you exactly where to look as I don’t have any of those printers to test on.

Hi Joseph,
Yes, those settings are set in all the possible places on the driver on the server. I found, in the end, that some of those settings (eg. duplex) do eventually come through if you use ‘Replace’ instead of ‘Create’ but it takes more than one gpupdate for it to happen. I’m still then left with various Xerox Universal driver settings that never come through. A shame as I was looking forward to amalgamating all our (over a hundred) GPOs into one single GPO 🙂
Thanks again

I’d just like to come back to this (finally started looking into this again) just to say that I’ve got it working now. I use a user policy rather than a computer policy, I set it up to deploy the printer share and I use item level targeting to target the computer in a security group. Strangely the policy works when attached to the computer OU rather than the user OU (which seems odd when it’s a user policy now and there are no computer settings in this policy anymore).
Thanks again.

I did. But I was wrong above about having to link the GPO with the Computer OU. It did actually have to be linked to the user OU in the end. I’d forgotten to unlink the old printer policies so thought it was working when actually it was doing nothing at all. Linking it with the user OU then made it work. Thanks again 🙂

Oh and one other thing. It’s a real pain with the ‘default printer’ setting. We would like full control of users’ printers so that we can either add them to a security group to receive a printer or remove them from a security group for the printer to then be revoked. This only works with the ‘Replace’ option of course and the ‘Remove this item when it is no longer applied’ setting. This really screws with the default printer setting, however. If a user has multiple printers (so they are in multiple security groups) they can only set their default printer on a per session basis, the next time they reboot the printer is naturally replaced (by the ‘Replace’ option on the GPO) so there goes the default printer setting again.

Is there any way for us to keep control of our users printers but still allow them to select (and keep) their default printer?

I’m going to have to abandon this whole method soon as people are complaining about the logon times. We do have something like 180+ printers and I presume GPO has to match against each ILT rule in the GPO. Some people are finding it takes minutes to logon now. I guess I’ll be back to the drawing board on investigating deploying printers.

Thanks Joseph. I think the difficulty was that under computer configuration you couldn’t select “New Shared Printer” which is what we’re using. You can only do new tcp/ip or local printer and we had problems, I seem to recall, using anything except a shared printer. I think it wasn’t pulling through the printer defaults possibly.

Have you had any dealing with Canon print drivers? I have 3 Canon copiers and then quite a few HP LaserJets that I’m trying to deploy with GPP. The HP’s install just fine without any interaction, however I have tried deploying the Canon following your steps for both computer side and user side preferences with no luck. In addition to that I have also tried disabling Point and Print Restrictions in GP with no effect. The only way I have been able to install these printers so far is to go through the add and remove wizard on each PC and enter my administrator credentials when the driver installation starts. Have you seen this before, is there any way around this?

Not that I’m aware of. I spoke with Microsoft on this as well; their recommendation was to use the Printer Deployment in Group Policy vs Preferences, and that has worked. I can deploy the copy machines this way since they will be available to everyone anyways. I was just hoping to keep everything all in one place.

I have been using GPP’s for printers for about 3 years with good results: 1 GPO, configured for User, 46 TCP/IP printers, and ILT to security groups to give each office its specific printer(s). We are now replacing all of those printers and I had hoped I could just change the Name and Printer Path (IP is staying the same) for each printer listed in the GPO and set the action to Replace. It doesn’t work – the existing printers remain and the new ones are not added. I’ve experimented with different Common settings without success. Shouldn’t Replace do what I’m trying to accomplish?

By the way, when creating TCP/IP printers, I have found it only necessary to share 1 printer of each model, as a source for drivers, since users are printing to the IP address and not the Share.

Hi, replace will only change the printer if the previous one was also set to replace. You could either change all the old printers to replace mode and then edit to be the new ones when that’s had a chance to filter down, or set the old ones to delete and create new ones, then set yourself a reminder to remove the delete action printers after a time.

Building on Ed’s solution, I prefer to copy the existing preferences, change them to delete, and paste. Then I have two copies of each preference. One that deletes and one that creates/updates. I then change the settings (name, printer path) on the create preferences.

I set the deletes to run once and do not apply again. Be sure that the deletes have a lower number than the creates. That will cause them to process first.

Joseph,
I work in a school with roaming profiles for the students. The problem I have is that whether the printers are set by computer or by user in GPO the printers follow the students. It seems that the connection gets registered in their profile. I have tried deleting shared printers, ILT but to no avail. What is the best practice for setting up the printing environment for roaming users so that the printer connections do not follow them?

There is a registry setting which you could test in your environment. You can set
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Providers\Client Side Rendering Print Provider\RemovePrintersAtLogoff to 1.

Thank you for the great tutorial (and follow-up comments) on gpo deployed printers. I have a minor nit question: how do you get the device metadata to deploy with the printer? I can create a local printer and the metadata (with the manufacturer’s icon) is created in users\local\….. as expected. However, the deployed printer has no such metadata and thus, uses the MS default icon. Is this something I am doing wrong or is it just a wish that the users might be presented with a printer-specific icon?

Hi,
Thank you for this great guide. I tried applying this in a test RDS environment (2008R2) and while I can get the printers added, I can’t seem to delete them.

I’ve added the printer on a print server.
In a new GPO, I’ve gone to user settings>Preferences>Control Panel Settings>Printers. I’ve created a shared printer and have used targeting to deploy the printer to a Terminal Session, RDS, with a client netbios (xyz) name. This works fine. I have then added a delete using the same method, targeting a client if the client name is not xyz. However, this does not work. If however, I run gpupdate, it will remove the printer. Not sure why this is happening. Can you please help?
Thanks,
HA

Hi,
Yes that’s correct. The printer will not delete until I manually run gpupdate or wait for the default refresh. It’s only happening with the delete option. I can add printers, and make them default correctly as I access the RDS servers from different clients. I’ve even tried creating a standalone GPO that I apply to the RDS servers where all it is meant to do is delete the printers using GPP. However, this doesn’t work either. I’ve also unlinked the other GPOs from the RDS OU and blocked inheritance for testing but it has no effect. I’ve also set the GPO to wait till the network is up but that didn’t help either.
Thanks,
HA

Shared printers are added just fine, but the Delete all shared printers I have put at the start do not work at logon. This means that when a printer is removed from the print server it is still visible (but unusable) to the users.

Delete all works better with gpupdate, but still misses some when there are more than a handful of shares.

This is good information. I’m trying to deploy using GPP; almost got it figured out how to assign default printers by Computer Configuration (as my users move around a lot).

For some reason, on 2008r2, when deploying IP printers, it’s the FIRST printer that becomes default, not the last.

Additionally, currently each user has their printers connected manually (which is a Shared Printer), and Computer Configuration can’t delete Shared Printers. So I guess I’ll have to make a separate GPO with a User Policy to delete all Shared Printers?

This would all be so much easier if a) GPP can make IP printers via Computer Config as default, or b) GPP can make Shared Printers via Computer Config…

You will either need to setup a separate user side printer to delete their connections or enable loopback policy processing. If you enable loopback, you can set the delete preference up in your computer side printer GPO.

I think I’m just going to have to bite the bullet and use User Configuration.

Seems to work as intended. The policy is applied after the desktop appears – I can watch as printers appear one by one on a fresh computer. So it doesn’t slow down the logon at all; just a small delay until all of the printers are created/updated (by the Update deployment).

This method seems to be the clearest way to do this, so that others can follow in my footsteps easily.

User Config:
1. Delete all Shared Printers (bye!)
2. Delete all IP Printers (apply only once, so we’re not reinstalling each time)
3. Update all IP Printers (eg Printer1, Printer2, Printer3…) so each User gets every printer.
4. Update each IP Printer again, as default, targeted to the correct OU (so each printer gets Updated to Default, but only if the User’s computer is in the correct OU)

Then simply add the Point-and-Click-Restrictions to Disabled to the Computer Configuration and apply to the computers OU.

The additional bonus is that I can use this method as a single GPO, instead of one per Computer OU that I would have to do under Computer Configuration.

Joseph, thanks for the article,
We are using user configurations policies with ILTs.
What I don’t understand is how exactly the computer side conf will work with user type filters (the logic behind it).
For example:
Users side conf: created print A if the user is a part of group B.
Now when users log into the computer (and they get that policy) it will check if it needs to create the printer while logging in.
Computer side conf: create Print A on this computer if user is a part of group B.
Could you explain how that works?

After re-testing (again..) on Win7 64-bit clients, the following issue emerges:
Now it’s final, when choosing “create” it will always recreate the printer, meaning personal user printer settings will be deleted (which is something we’d rather not have).
I would like to add a WMI filter for each printer creation that will check if the printer is already installed. I have seen some of the commands but it’s my first time using any WMI filter in general, not to mention in GPP.
Could you assist?

An easier way of doing this is a registry ILT. Create a new ILT Registry item that checks to see if HK Current User\Printers\Connections\NameOfPrinter exists. Change out HK Current User for HK Local Machine if it is a computer configuration preference.

If you are deploying a Computer Side printer, you can’t use an ILT that looks for the “user in group”. That option is greyed out because the computer wouldn’t know which user to look for. Does that answer your question?

Hi!
I have 1 AD Security group for each shared printer. I have one GPP that maps the printer if the user is in the security group that belongs to the printer, and one GPP to delete the printer if the user is NOT a member of the security group. The security group is also applied in “Security” tab on the printsrv with PRINT rights and “everyone” is removed. This works 100 % on Windows 7 clients and Windows 2003 Terminal Servers. But on Windows 2008 R2 RDS this doesn’t work. No warning in any logs, and the gpresult shows that the GPO setting applied successfully. The only way I can make the Delete policy work is if I give the user print rights on the printer on the printsrv. Looks like for the policy to work on 2008 R2 the user must have print rights on the printer object on the printserver. The GPP Delete Policy will not delete printers that have status : access denied. Anyone else had this problem?

I haven’t seen that issue (yet). As a workaround, you might be able to use a more advanced Item Level Targeting + setting the Action type to Replace + enabling Remove This Item when it no longer applies.

Hey.
I have tried it, but it doesn’t work. And if I use Replace mode my users will lose their default printer when the printers are deleted and recreated at logon (not a good solution). I have tested with a GPP Delete policy with no ILT, just to see if the printer is removed, but as long as the user doesn’t have “Print Access” on the shared printer it will not be removed. If I manually add the user with print access in security on the printer on the print server, the policy works. Beginning to wonder if this can be a bug in Win 2008 R2.

I set up a Win2008 R2 print server and have all my printers created (about 20) and now I want to be able to assign user accounts to certain printers. I thought I would create AD groups named after the printers, then assign user accounts to those groups thus getting them that printer. I’m struggling figuring out how to do this without creating a GPO for every printer. What is the best way to do this?

It sounds like you need Item Level Targeting! With ILTs, you assign a filter to each printer. The filter would say that the user must be in the specified security group to get the assigned printer. This will get you started: http://technet.microsoft.com/en-us/library/cc733022.aspx

I am trying to use item level targeting with netbios computer name wildcards. An example would be JH07* for computer names JH0701 through JH0724. However, the printer deploys to everyone in the OU that I linked it to.

All our computer names are JHxxxx such as, JH3501, JH3502, etc.
JH is the campus, 35 is the room number and 01 through whatever is the computer number.
By the way. Thank you so much for looking at this with us. We are a small school district and your help is greatly appreciated.
I see that the xml file I posted did not show up. I am trying again.
Here it is with all the tag syntax removed.
++++++++++++++++++++
xml version="1.0"
PortPrinter bypassErrors="1"
uid="{B6A8A1DF-E5B9-40E2-A756-53B67B1E47B8}"
changed="2013-11-12 21:37:48"
image="0"
status="10.40.192.55"
name="10.40.192.55"
clsid="{C3A739D2-4A44-401e-9F9D-88E5E77DFB3E}"
Properties deleteAll="0"
path="\\PRINT-2K8\JH-LibOff"
useDNS="0"
skipLocal="0"
default="0"
comment=""
localName="JHLib"
location="Library Office"
action="C"
ipAddress="10.40.192.55"
Filters
FilterComputer name="JH35*"
type="NETBIOS"
not="0"
bool="AND"
Filters
PortPrinter
+++++++++++++++++

I should have mentioned that I have tried JH35??. I have also tried creating a security group for the computers and applying the deployment to that. Could this be caused by a different GPP somewhere else in our domain?

In your article you make the following comment “There is one downside to computer side printers; you can’t set one as the default without some trickery”

How did you do this?

I am deploying printers via GPO using Item Level Targeting using TCP/IP and setting it to process against the computer rather than the user. I am using the replace mode so as new printer drivers come online or are updated they are reinstalled. Problem: every time GPO refreshes or desktop reboots the default printer gets assigned to the last printer for the IP range I have defined.

I have an average of 12 printers on a 24 floor building; I cannot decide for the user which is the default printer. Any help appreciated.

Curious what your thoughts are on adding and deleting user printers every logon / logoff via GPO. Got a coworker who’s on glue who thinks this is reasonable; I’m of the opinion this is needlessly inflating the logon time every day.

Hey,
I’ve started playing with the settings and there is a way to make your co-worker happy.
We have 2 different actions for each printer (set on for users).
The first one is delete the printer, if the user isn’t a part of an object/s (AD OU/group) [if there are a few groups / OUs that should be getting the printer, the condition is “IS NOT” “AND” @ the ILT].
The other used to be update but we changed it to “create” in order to keep users’ settings (some people change the settings of the printer; update pulls the server’s side parameters of the printers each time while create does that once and won’t make any changes if the printer is already installed).
I’m still testing it but I have to admit.. this guide is great. I haven’t used it myself because we’re already done implementing.. although I’m still missing some query that I would like to add.

Just want to chip in my opinion. We initially use “replace” and deploy printer by targeting AD group. This method makes it easy to keep track who’s printing to that particular printer. When a user changes printer, we remove them from the AD group so it automatically removes the printer. The method doesn’t work 100% for us because we found that sometimes printer got deleted at logon but didn’t get mapped back. Another problem with this method is that the default printer will change randomly.

Nice article. Our company uses printer preference to deploy printer via “update” and “replace” mode, recently we’ve encountered weird issues. When user logged in and their printers get mapped, if you remove the device from “devices and printers”, next time they login the printer won’t map again. In order to get it working again, we have to type “gpupdate /force” and reboot. There’s no error in event log. Just wondering if you have encountered this issue? Thanks

I figured out the problem. Initially we only deployed printers with the “replace” setting and we received complaints about printers disappearing randomly during the work day. To fix this issue we had to enable “Printers preference extension policy processing” with the setting “Do not apply during periodic background processing”. However recently, we discovered that after the printer is mapped and if user accidentally remove it, it wouldn’t map when user login next time without typing “gpupdate”. So to fix this issue we have to use “update” mode and disable “Printers preference extension policy processing”. LOL basically we went around circles.

We deploy printers with user preferences, log on times have not been an issue for physical machines, but for VDI’s had to amend this to a log on script because processing the Printers GPO section during log on was taking too long, recent tests show times of approx. 50 seconds average for the printers. Mapping the same printer queues for VDI’s with a log on script considerably speeds up logon times but we would prefer to use prefs. Enabled GP logging but cannot see any cause in the log files, other than the timescales are longer for VDI compared to physical.

What type of Action did you use – “update” or “replace”? Replace will reinstall the Printer Driver each and every time…
But anyway – I agree that for Printer assignment, a logon script (or “run These programs at Startup”) is the better solution in most cases where Performance is an issue.
regards, Martin

If you delete the Queue at logoff, the Driver will be reinstalled at logon… So that’s not a solution. In fact, ensuring ONLY current Printers are present at all is not a Goal that’s easy and well performing through GPP…

Thanks to you one of my new favorite things to do is deploy printers via GPP. Unfortunately I’m needing to be able to force a printer to be default and I’m using Computer Configuration mode. What is the trick to set a printer as default without having to use User Config mode?

With printers, the last created printer is the default! So if you have two printers going to a lab, preference 2 (the second in the list) will write after preference 1.

This ordering can get tricky at first but after you have it set, you will be good to go! The only thing to watch out for is software generated printers (KESI virtual printers, Smart Notebook printers, etc). A few of them can write after a user login.

And thank you for letting me know that you appreciate the articles! The blog is more work than I thought! 🙂

jm2c: If you need total control, set the printer in user configuration and add some Item Level Targeting… WMI queries on Win32_Printer are helpful, maybe registry keys or values, even computer names or security groups (these will make the user configuration behave like it were computer configuration). Since I don’t know what your requirement is to not use user configuration, I cannot give a full featured answer 😀

Thank you Martin! Personally, I’ve found computer configuration printers helpful because of the decreased logon time. You are absolutely right about total control being on the user configuration side though!

Perfectly true 😉 It’s all about user experience and fast response, so we (our company) use asynchronous logon scripts to map printers (to be precise – logon scripts run synchronously, but we map printers with “run these programs at logon”). This has some impacts with badly designed applications, of course (Adobe Reader was famous, Lotus Notes still is – both enumerate printers at startup and not at “printing time”), but it eliminates any time lag…